On Security Log Management Systems

Abstract

A log management system (LMS) is a system for creating, receiving, processing, releasing, and transferring security log data. Its main objectives include detecting and preventing unauthorised access and abuse, and meeting regulatory requirements. One of its main components is the classification of events, which supports decisions about archiving and about invoking responses to certain events. Most current approaches to LMS design are system dependent and involve specific hardware (e.g., firewalls, servers) and commercial software systems. This paper presents a theoretical framework for LMS in terms of a flow-based conceptual model with emphasis on security-related events. The framework includes four separate flow systems: active system, log system, alarm system, and response system. All systems are composed of five inclusive stages: receiving, processing, creating, releasing, and transferring. The experimental part of the paper concentrates on log analysis in the processing stage of the log system. We select actual log entries and classify them according to these five stages.